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Legal notices 


Copyright © 2024 Cellebrite DI Ltd. All rights reserved. 


This document is delivered subject to the following conditions and restrictions: 

” This document contains proprietary information belonging to Cellebrite DI Ltd. Such 
information is supplied solely for the purpose of assisting explicitly and properly authorized 
users of Inseyets Offline UFED. 

” No part of this content may be used for any other purpose, disclosed to any person or firm, 
or reproduced by any means, electronic or mechanical, without the express prior written 
permission of Cellebrite DI Ltd. 

” The text and graphics are for the purpose of illustration and reference only. The 
Specifications on which they are based are subject to change without notice. 

” Information in this document Is subject to change without notice. Corporate and individual 
names and data used in examples herein are fictitious unless otherwise noted. 


Warnings 


FCC WARNING: This device complies with part 15 of the FCC rules. Operation is subject to the following 
two conditions: 


1) This device may not cause harmful interference. 


2) This device must accept any interference received, including interference that may cause undesired 
operation. 
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1. Introduction 


Cellebrite Inseyets Offline UFED combines Cellebrite access and extraction technologies to deliver 
increased efficiency and power for mobile forensic investigations. 


Inseyets Offline UFED is available with the new Turbo Link adapter. Both the Inseyets Offline UFED 
software and the Turbo Link hardware are based on Cellebrite’s newest technology. 


Cellebrite Inseyets Offline UFED, lets you perform full file system and physical extractions in an easy 

way that was not previously available. These extractions are the richest types of extractions possible. 
They can access highly protected areas such as third-party application data in both Android and iOS, 

iOS Keychain and Android Keystore data needed for decrypting encrypted applications. You will also 

have access to data stored in Android secured containers. 


Cellebrite Inseyets Offline UFED also enables you to recover passcodes and unlock the latest Android 
and Apple devices. 


1.1. Document Scope 
This user manual is a concise guide that explains how to install and operate Inseyets Offline UFED. 


1.2. System Requirements 


The following table indicates minimum and recommended system requirements. Where applicable, 
requirements for using Triage capabilities are also indicated. 
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Minimum: Windows compatible PC with Intel i5 or compatible 
running 1.9 GHz or higher, 4 Cores 
Triage: 
Minimum: Windows compatible PC with Intel i5 or compatible 
running 1.9 GHz or higher, 4 Cores 
PC Recommended: 
13th Generation Intel® Core™ 19 Processor 

> 24 total cores 

* Max Turbo Frequency up to 6.00 GHz 

* 36 MB Intel smart cache 


> Microsoft Windows 11, 64-bit 
Operating System 
Microsoft Windows 10, 64-bit 


> Minimum: 16 GB 

* Recommended: 32 GB 
Memory (Ram) Triage: 

” Minimum: 32 GB 

” Recommended: 64 GB 


150 GB of free disk space for installation 
Triage: 


Internal storage 
requirement Minimum: 250 GB 


> Recommended: 500 GB 


> Minimum: 15MB/s 
Network 
Recommended: 100MB 
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One port is required from each of the following ranges: 35100- 


ineemmalners 35500, 55100-55500, 2001-2010,20100-20900, 15002-15011 


Triage: One port is required from the following range: 5000-5010 


Administrator rights are only required for installing the 


Permissions 
application. 


1.3. Inseyets Offline UFED Application Installation 


To install the Inseyets Offline UFED online application, do the following: 


1. Log in to MyCellebrite (https://community.cellebrite.com/). If you do not have a MyCellebrite 
account, please sign up for one. 


2. Inseyets Offline UFED requires a MAX dongle type. If you haven’t verified it yet, please refer to the 
article How to Check Your Dongle Type. 


3. If your dongle is already registered, skip to step 6. 
If your dongle is not registered yet, go to Products & Licenses and click Register Device. 


Lcerses 


4. Type in your Serial Number and click Next. 
(The serial number and dongle ID are usually found attached to the license dongle itself. The serial 
number, dongle ID, and dongle type, are also displayed in the license loader message window when 
you connect the dongle to the USB port.) 


Register New Device 
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5. Type in your dongle ID Number and Name your device. Click Next. 


Register New Device 


© 


Complete this held 


© 


6. Go to Products & Licenses tab and under the License tab, identify your dongle serial number. Verify 
if your dongle contains the Inseyets Offline UFED license. 


If yes, skip to step 8. 


2.2 Cellebrite 


Two-factor Authentication 


improving sé ire 


7. Under the Products & Licenses tab, click the Subscriptions tab and identify your Subscription 
number. Then click Add Serials. You will be prompted to select from the list of serial numbers. Select 
the relevant serial numbers you want to associate with the Inseyets Offline UFED. 


Products Licenses Tryourproducts Wallets Subscriptions 


vy v v v v 


Wf onae eae 


( Add Serials) 
XM r 


SUB-054! Inseyets Pro UFED 1 30/09/2026 16 _— 


If the Subscriptions tab is not displayed, please reach out to your Sales representative or our 
Technical Customer Support team. 


User Manual 9 


8. Download and install Cellebrite License Tools. 


Products Licenses Tryourproducts Wallets Subscriptions 


Update your products with latest versions and add-ons. 


Cellebrite License Tools 


9. Connect your license dongle and launch the Cellebrite License Tool. 
Select your license type; Dongle or Software. 


6 Cellebrite License 


Cellebrite product license 


Your software license requires an update. 
Please select your license type: 


Dongle Software 


Verify that your dongle is connected, and the serial number appears under Dongle serial ID and click 
Activate. 
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@ Cetecr se License 


Cellebrite product license 


1. Generate C2V file 2. Upload C2V file 3. Load license file 


Click generate to create Go to MyCellebrite and uplood Load the file (* zip) received 
computer ID file (*.C2V) the (*.C2V) file from MyCellebrite 


community. celletxite. com @ 


If the activation succeeded, continue with Step 10. 
If the activation failed, proceed with the manual activation, performing Steps a to f. 
a. Inthe Cellebrite License Tool, click Generate and save the .C2V file. 


b. In MyCellebrite , select the Licenses tab, and click Download License. 


Products Licenses Try our products 


Active Products 


ber 7389455945TestAssct AddName #* 


c. Upload the .C2V file and click Submit. 
Download License 


Upload c2v file 


d. The license file (*.zip file) will be automatically downloaded to your Downloads folder on your 
PC, 
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e. Return to the Cellebrite License Tool and in the Cellebrite License dialog click Load. 


f. Select the license file and your license will be activated. 


10. Goto the Products tab and download the Inseyets Offline UFED application. 


A 


Products Licenses Tryourproducts Wallets Subscriptions 


+ Start a trial + Register Device 


Update your products with latest versions and add-ons. 


+ 
UFED 


Cellebrite Inseyets UFED 


See licenses * 
Download Latest version updatedDec 13, 2023) | | oa o 


Install and launch the Inseyets Offline UFED application. You are now ready to start using Inseyets 
Offline UFED. 


ae 
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2. Application Usage 


The Home screen displays the following options and information: 


» 


iOS, Android, and UFED 
” The options icon at the top right corner (for accessing Settings, Help, and Support) 
” The version number of the application 


* The version number of the Resources package 


” Resource connection indicator (Green circle with checkmark for an established connection or red 
circle with X for no connection) 


[Milinsoyets UFED 10.1.0.16 


Ins bd ts UFED 


To perform 
advanced access, 
choose an operating 
system 


i Search Supported Devices 


2.1. General Flow 


The general workflow is as follows: 

1. Open the Inseyets Offline UFED application. 

2. Select the device type. 

3. Connect the Turbo Link to the DC power source and to your computer and turn on the Turbo Link. 
4. Turbo Link initializes and begins the preparation steps. 

5. Turbo Link downloads the relevant resource packages for gaining access to the device. 

6. Connect the device under investigation to the Turbo Link. 


7. Select the relevant required action, such as Full File System (FFS) extraction. 
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2.2. Turbo Link Preparation 
The Turbo Link adapter is a hardware unit that is designed to gain access to the device under 
investigation and transfer the data stored on the device to your computer. 
Turbo Link must be connected to the following: 
* ADC power supply 
* Your computer with a USB cable 


The device under investigation 


The DC power supply and the cables are provided with the Turbo Link. 


To set up the Turbo Link do the following: 
1. Connect the Turbo Link to your computer using the USB cable. 


2. Connect the Turbo Link to the power using the power supply cable and turn on Turbo Link by 
pressing the PWR push button switch. 


3. Connect the device to Turbo Link with the appropriate cable. 
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2.3. Access 


The first stage in digital forensic investigations is to gain access to the operating system of the device 
under investigation. 


After the Turbo Link is initialized, it identifies the device, and downloads resources needed to gain 
access to the device. 


There are multiple access methods available to the Turbo Link and it typically tries several methods. 
The device characteristics determine which method succeeds in gaining access. 


2.4. Cellebrite (CLB) Mode 


Once access is gained, the user interface will be refreshed, and the device enters Cellebrite (CLB) 
Mode. Cellebrite Mode is when temporary privileged escalated access to the device has been 
obtained. The device information screen is updated, and you are presented with several extraction 
options such as Full File System, Selective, and Secure Container. 
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The Quick Insights feature provides device information while the device access is still in process. 


You can view the information in the Quick Insights tab, divided into the following categories: 
Device identifiers - includes device hardware information such as IMEI and |MSI. 
Device user - includes account information such as email addresses and AD-ID. 


Usage details - includes installed application names and Wi-Fi connections. 


Android / Locked 


Select an action 


Quick wright 


Use the Search function, to search through the available data, or use the Export function, to export the 


information as a PDF file. Exporting the data saves it to the cases’ default extraction location. 


Select an action 


Quack eights 


| 


Device identifiers (14 


swowne 


& Oevice user (6) 
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2.6. Streamline 
The automation between UFED and PA provides a streamlined end-to-end mobile forensic solution, 
that will help you: 
’ Save time to evidence 
Process more cases 
* Allocate manpower more efficiently 


By specifying the key parameters in the workflow in the beginning of the process, you can ensure that 
the extractions from UFED will automatically be communicated to PA for decoding and reporting. 


With this feature, you no longer need to keep checking if the extraction process has completed to 
know when you can transfer the extraction files to PA. The extraction process is monitored 
automatically, and when the process is completed, the extraction files are automatically loaded into PA 
for decoding and reporting. 


@® For the first release of this feature only full-file system and file system AFU 
extractions are supported. 


Since the automation feature requires a communication connection between UFED and PA, it is 
necessary to ensure that the UFED and PA are on the same machine. 


After UFED has completed the extractions from the device, and the process is in Cellebrite (CLB) Mode, 
the Automation button is displayed next to the various extraction option buttons. 


7 2° Cellebrite 
Cs 


1. When access is successful, click Streamline. 


Ins<@>ts ccc 


Android / Locked 
Select an action 


Device status 


Samsung Galaxy Galaxy S22 


20222-05-12 Full disk encryption 


Extraction path: 


@:\Extractions 


BS Progress console 


19/04/2023 16:37 - Device is unlocked / AFU 


Brute Force 


The Streamline Settings dialog opens. 


Streamline Settings 


Device status: 
Android, Locked 


Extraction: Full file 


User Data 


Snapdragon 8 


Hot 


Physical 


Case Details 


Case ID ~ 
Robbery 


Created by * 


® Commander ® Evs | Resources13.2 @0D 


Android 9 


JV 


Access 
completed 
successfully 


ae] Eee =. 


Device owner © 


Suspect 


Danny Shovevani 


Extraction Path 


Extraction Settings 


E:\Input\Extraction 


UFDR 


Report in Inseyets PA 


2. Enter the following information under Case Details, which are used by Inseyets PA to label the data 


and output report: 
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» 


” Case ID 
Device owner 
Created by 


3. Under Extraction Settings, for Extraction Path enter the path location of the extracted data, from 
where PA will take the data for decoding. It is also the location where the PA report will be located. 


4. Under Report in Inseyets PA, select one of the following report formats: 

Decoding Only 

UFDR 

PDF 

Word 

Excel 

HTML 

XML 

Relativity Short Message Format (only available with the appropriate PA license) 
” e-Discovery Load File (only available with the appropriate PA license) 


9. Click Run Streamline. 
Inseyets PA is notified that an extraction is being processed and then Inseyets PA opens a case with 
the case details that you specified in the Streamline Settings dialog. 
When the extraction is completed, if Inseyets PA is available, the extraction data is loaded and when 
Inseyets PA is available for decoding, it will begin decoding the extracted data. 
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2.7. Triage 


Cellebrite Triage enables your teams to quickly identify and prioritize digital evidence for determining 
the most effective course of action. You can leverage Triage to: 


’ Access iOS and Android devices. 
’ Perform targeted scanning, simultaneous extraction, and decoding of the relevant data types. 


* Maintain privacy by performing on-the-scene analysis by matching relevant metadata types 
without revealing the content of the data. 


Triage requires a connection between Cellebrite UFED and Cellebrite Commander. In Commander, you 
can predefine Triage profiles, which contain search criteria and priority settings, that are used for 
Triage scanning (see the Cellebrite Commander User Manual for details). Once UFED gains access to 
the device, Triage can initiate scans based on multiple profiles. When search values are found, the 
results are immediately displayed in the Triage dashboard, while simultaneously initiating extractions 
and decoding. PDF reports are then generated containing the profile details and device information. 


To set up Inseyets Offline UFED for running Triage scans, do the following: 


1. Make sure you are connected to Commander. 

2. Open Inseyets Offline UFED. 

3. Click the options icon in the upper-right corner and select the Settings option from the menu. 
4. On the System tab, check the Enable Triage Scan option. 


5. On the Commander tab, click Connect to receive the latest profiles, which you defined in 
Commander. 


6. Click Save and exit from Settings. 


To run Triage scans in Inseyets Offline UFED, do the following: 


1. Open Inseyets Offline UFED. 
2. Select the device type you want to scan. 
3. Follow the online instructions to gain access to the device. 


4. From CLB mode, select Triage Scan. 
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Select an action 


Ins : ts UFED 


Support Ticket 


Profile selection 


AY XO Refresh 


Owner name Crime type Last Modify + 


BS 8 


Drugs 


Child 


BSBSBBBBBSB SE 


a. If there is an orange dot to the left of Profiles update is available, click Refresh to update the list 
of profiles. If the dot is green, there is no need to update the list. 


b. Select one or more profiles using the checkboxes to the left of the profile names. The predefined 
profiles will shorten the scan time by focusing on the criteria that are important for your 
investigation. 


c. If necessary, you can quickly locate the profiles you need by entering the profile name or its 
owner, or the crime type in the search bar. 


6. Click Scan. The Scanning screen opens, displaying the scanning progress. 
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Scanning 


Major 


© 00:12:32 4 Profiles 


Profile 131 
4 


Very very long na... 
1 


Profile 45 


No matches found 


Profile 77 
2 


Profile 88 
1 


Profile 1981 


No matches found 


Minor 
2 Profiles 


Profile 12 
a ‘i 


Profile 68 


No mat 


Profile 778 


iches found 


a, Sears 
S 3/24 
Profiles view 


Profile 666 
2 


Profile 2 


No mi 


~, Profile 10 


) 
No matches found 


The following views are available: 


Profiles view - The Profiles view displays the profiles being scanned by Triage. At the end of the 
process, each profile is marked as Major, Minor, or no matches found. 


Content view - The Content view displays all the content types that were removed from the 
phone and were not divided into profiles. 


7. When the scanning is finished, the Scan completed screen appears. 
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Scan completed 


Profile 131 
4 


Profile 3 
1 


Profile 45 


No matches found 


Major 
4 Profiles 
Profile 77 


2 


Profile 88 
a 


Profile 1981 


No matches found 


Mine 
2 Profiles 


Profile 12 
2 1 


Profile 68 


No matches found 


Profile 778 


No matches found 


Save Extraction 


Profiles view 


Profile 666 
eh 


Profile 2 


No matches found 


Profile 10 


No matches found 


Report 


8. To save the extracted data, click Save Extraction. The Export extraction file location dialog opens. 
Enter the path where you want to save the extractions. 
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To begin the Android flow, from the Home screen, select Android. 


IW Inseyets UFED 10.1.0.16 = a x 


INS<@>ts ceca 


Welcome admin 

To perform 

advanced access, Android 
choose an operating 

system 


i Search Supported Devices 


Select Unlocked if you know the passcode to the device or no passcode is set. 


After selecting Unlocked, continue with the following steps. 
For an unlocked device, prior to starting, enable USB debugging on the device. Inseyets Offline UFED 
provides you with online instructions on how to do this. 


Android / Unlocked 


Device Preparation » 


Follow these steps for USB debugging 
@ Remove the SIM card from the device. 
02 Place the device into Airplane Mode. 
Open settings 


Enable developer options. 


(Go to: About/Information > Tap the “Build number” 7 times). 


Enable USB debugging. 


Go to “Default USB configuration”, select “File transfer’. 


07 Enable “Stay Awake” (If available) 
i‘) Device restart or automatic reboot may be required during this procedure 


Once this is done, click Continue and Inseyets Offline UFED will begin the adapter preparation steps. 
When you are instructed, connect the mobile device to the adapter. 


Inseyets Offline UFED will prioritize the Smart Flow access methods first, followed by the regular 
Android OS Access methods. 
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The following pop-up is displayed. 


@ ‘Support ticket 


i) Enter Passcode 


IF you know the passcode, enterit here, This will impact 
unlocl-attempts on the device 


Enter the passcode to verify that you have the correct passcode. You are allowed three attempts 
before an error message is displayed. For devices with no passcode, click No Passcode. 


If you enter the passcode incorrectly, the pop-up is displayed again with an explanation and counter. 


@ srronier 


i) Enter Passeode 


Invalid pasecode entered. Please try again (2/2). 
Attention: The device currently is on attempt 2 out of an 
unknown limit 


If you did not enter the correct passcode before the limit of attempts was reached, you will be 
redirected to the Home page to select the Locked flow option. 


Invalid passcode entered 


You will be redirected to the Home page. Select the 
Locked option to continue processing the device. 


0K 
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When you enter the correct passcode, the unlocked flow continues until access is gained to the device. 
The following screen is displayed, presenting you with the available extraction options. 


Select an action 


Device status 


samsung SM-G991B Exynos 2100 


13 2023-06-01 File-based Encryption (. 


Hot (decrypted) aS. 


Extraction path: 
(C.\Users\PaulL AppOata\Local\My UFED Extractions Passcode 
1235789 


Progress console 


1235789 


10/30/2023 7:45 PM - No bruteforce is currently running 
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3.2. Android Extraction Options 


The state of the device and the encryption type determine which extraction is available. 


The extraction of decryption keys takes places automatically when they are available. They are stored 
in the /extras/ folder within the extraction. These keys are needed to decrypt encrypted applications 
within Physical Analyzer. 


App Selective You can selectively target specific installed applications on the device. 


phous This extracts the entire memory range of the device which includes the 
sica 
¥ full file system, user data and unallocated space. (FDE ONLY) 


Extracts all data from the active file system. This includes the /system/ 


Full File System | location on the device and other locations. This INCLUDES the data that 


is available through User Data extraction. 


Extracts all data from /data/ and /sdcard/ locations on the device. These 
User Data locations hold most of the data that is of evidentiary value such as native 
and third-party app data and other user data. 


Secure 
Certain vendors have secure containers, Samsung Secure Folder, 
container 
Huawei Private Space, Xiaomi Second Space and Realme Cloner. 
extraction 
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4. 10S Flow 


All modern iOS devices utilize File Based encryption (FBE). This means that you require the passcode to 
the device to get a decrypted extraction. 


If the passcode is not known on the device, only limited amount of data would be available for 
extraction. 


There are two primary access methods with iOS. AFU and BFU methods. With Inseyets Offline UFED, it 
automatically applies the proper access method to the device that is connected. 


4.1. 10S Unlocked Flow 


To start the unlocked flow, click iOS, then click Unlocked. Preparation of the adapter begins. When you 
are instructed, connect the iOS device to the adapter. As mentioned in the previous section, the 
method Inseyets Offline UFED uses in the Unlocked flow depends on the device characteristics. 


When the adapter preparation is completed, Inseyets Offline UFED checks the characteristics of the 
device. If the device is one that uses the AFU method, you will be presented with certain instructions 
prior to advancing. 


1. Reboot the device. 
2. Unlock the device using the device passcode. 


3. Through the Control Center, activate the portrait orientation lock, so that the iOS device will be 
locked in portrait orientation. 


4. Enable USB Accessories (Settings -> Face ID & Passcode). 


5. Connect the device (while it is still unlocked). 
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Please note 


This method is for unlocked devices (device passcode is 
known or does not exist). 


Follow the steps below: 

1. Reboot the device. 

2. Unlock the device using the device password. 

3. Go to Settings (not the Control Center), disable WiFi 
and Bluetooth and enable Airplane Mode. 

4. Activate Portrait Orientation lock. 

5. Enable USB Accessories (Setting -> Face ID & 
Passcode) 

6. Connect device (while it is still unlocked). 


An additional reboot may be required during the process 
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You will be prompted to enter the passcode via the application. 


Enter Passcode 


If you know the passcode, enter it here 


The access process begins. There are several steps for the access process. It is important not to touch 
the device while this is taking place. This can take anywhere from 5 to 30 minutes. 


Once access is gained, the extraction options will be presented. 
OS / Unlocked 
iOS Flow 


Dewke status 


Vv 


Access 
compteted 


successfully 


If the device that you are attempting to access via the unlocked flow uses the BFU method, the options 
presented will be different. 


Inseyets Offline UFED will detect that the device needs to use the BFU flow. This flow requires recovery 
and DFU (Device Firmware Upgrade) mode. 


As part of the BFU flow the device needs to be put into recovery mode. This is an automatic step, but it 
might require manual intervention. You will be presented with instructions if the automated process 
does not work. 


4: Cellebrite 


Attention 


We were unable to automatically reboot the connected 
device into Recovery Mode. 

Follow the steps below to manually reboot the device 
into recovery mode: 


1. Press and hold the Side button and one of the volume 
buttons until the power-off slider appears. 

2. Drag the slider to turn off your device. 

3. Connect your device to your computer while holding 
the Side button. 

4. Keep holding the Side button until you see the 
recovery-mode screen. 


The popup will automatically close once the device 
successfully enters recovery mode. 


Like the recovery portion, the DFU has an automated process, but if it does not work, it will require 
manual intervention. You will be provided with instructions on entering DFU mode. 


Once access is gained to the device, you will be presented with extraction options. 


OS / Unlocked 


iOS Flow 


2073 4.43 PM . Oevice has been successfully uniocked 


Selecting Finish will finalize the process and reboot the device. 
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4.2. 10S Extraction Options 


Once access is gained to an iOS device, the ability to conduct an extraction is possible. The state of the 
device determines which type of extraction is available. 


Some applications and data require decryption keys. This data is stored in the iOS Keychain and is 
available for extraction. It will be stored in the /extras/ folder within the extraction zip file. 


Extraction _— ; 
Description Keychain 

Type 

BFU (Before | An extraction of the DE (Device Encrypted) storage. Most of 

First Unlock] the user data Is not accessible, but some information can be | Partial 

Extraction found that can be valuable. 


An extraction of a device that is in AFU state. An extraction of a 
AFU (After device in AFU does not have: 


First Unlock ” Significant Locations 
Extraction) ” Native iOS Mail 


Health data 


FFS (Full File 
The extraction of the full active file system. 
System] 


Selective Selective extraction based on application. 
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If you need to perform logical extractions from devices such as SIM cards, mass storage devices, and 
drones, or use the Quick Copy and Camera features, or the extraction capabilities for older devices, 
click on UFED on the Home screen. From the UFED menu, select the option you need. For detailed 
information, refer to the UFED 4PC User Manual, available from MyCellebrite portal. 


a] When using the UFED option — make sure the Turbo Link is not connected to the 
computer. 
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6. Upgrading 


To use the latest Inseyets Offline UFED capabilities you must upgrade to the latest application version 
to use the latest resources. 


The following upgrade methods are available: 


” CPKG - is an update package that is applied from within the application. To use the CPKG, go to 
Settings > Version > UPDATE VERSION. 


Version 8.0.0.1030 


@ UPDATE VERSION 


»> 


EXE - is a stand-alone installer for the application. 
* Automatic updates from Commander or My Cellebrite. 


To see the application version number of your Inseyets Offline UFED go to Settings screen > Version 
tab. 


When a new application version is released, do the following: 


1. Download the new Cellebrite Inseyets Offline UFED CPKG file to your computer. 


2. On Version tab, click UPDATE VERSION and select the Cellebrite Inseyets Offline UFED CPKG file 
from where you downloaded it. 
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7. Settings 


You can modify the Inseyets Offline UFED settings from the home screen. To open the settings, click 
the tools icon at the top right corner and select Settings. 


The following setting tabs are provided: 


» 


System - allows you to configure several application settings such as the user interface language 
and extraction path 


Version - displays the application version number and allows you to update the application 
Activity Log - displays the activity log and allows you to export the log 
License - displays the license information 


Commander- allows you to configure the application to be managed by Cellebrite Commander 


7.1. System Tab 


The System tab allows you to adjust the following settings: 
General settings 


” Show case details - Allows you to enter specific information about the case that will be added to 
the extraction information, for example, case number, crime type, and device owner. 


Enable collection summary report - Provides a summary report from the extraction that includes 
items such as device information, device identifiers and characteristics, and device extraction time. 


Finish without rebooting (only Android) - This feature allows to finalize an Android flow without 
rebooting a device. It will keep the device in AFU state. 


Hash methods 
Option to select one of the following hashing algorithms used to hash the extraction: 


» 


SHA-256 
* MDS 
Logs 
Option to select one of the following levels of logging: 
” ULG Logs - Used for debugging. 
Export Application Logs - Button for exporting the application logs. 
Language 


Option for choosing the language of the application user interface. 


Extraction path: 
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Option for specifying the default location of the extraction folder where extraction files will be saved. 
Click on the folder icon to select a folder. This can be changed later, and only sets the default location. 


Usage Data 


Allows Cellebrite to collect your usage data with the goal of improving the product. Only diagnostic 
telemetry data is collected, but no personal identifiers are included. 


App Categorization 


Allows users to import a downloaded application category list which can be used to categorize 
applications during a Selective by App extraction. This download can be found on MyCellebrite portal. 


» 


DB file path: 

This selects the file path for the database for App Categorization. It specifies the location from 
where App categorization database files can be imported. Click BROWSE. The Import categories DB 
file dialog opens. Click the folder icon to select the Data base files (*.db. Click Open. The path is 
displayed under Path. Click Ok. 


7.2. Version Tabs 


Displays the application version number and build date. 
When a new application version is released, do the following: 
1. Download the new Cellebrite CPKG file to your computer. 


2. Click UPDATE VERSION and select the Cellebrite CPKG file from where you downloaded it. 


7.3. Activity Log 


This is where the activity log of the application is displayed. The log is reset with each update. 
To delete the log, click Clear. 


To export the log as a CSV file, click Export. 


Activity log © Clear 1 Export 


Vendor Model Session Id Transaction type Start date End date Duration Status 


7.4. License Tab 


This is where the license information is displayed. It does not list the remaining available credits. To 
view available actions, visit the MyCellebrite community portal. 
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7.5. Commander Tab 


In this tab, you can configure Inseyets Offline UFED to be managed by Cellebrite Commander. 


For instructions about connecting to Commander, see the Cellebrite Commander User Manual. 
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8. Support and Troubleshooting 


The following sections guide you through issues you might have using Inseyets Offline UFED. 


8.1. Supported Devices 

The following sections describe how to check for supported devices. 

8.1.1. From the Application 

From the home screen of the application, you can query if a device is supported or not. It will show if 


the device has been successfully processed based on usage data. Only one entry per search is 
displayed. The full database is available on the MyCellebrite Community Portal. 


To use the inApp Supported device feature, you need to be connected to the 
Internet and Sharing Data with Cellebrite needs to be enabled. 


8.1.2. From the MyCellebrite Community Portal 


The full database of supported devices is available on the MyCellebrite Community Portal 


(https://community.cellebrite.com/s/supported-device). This can be found from the main page by 


clicking Is your device supported. 


Device Vendor ¥ Model ¥ Chipset ¥ 


Marketing Se 
Name 


iPhone 11 
Apple N/A A13 iOS 15.4 (19E241) Brute-force 2023-11-02 
(N104AP) 


Oppo N/A OPPO A52 SDM665 2023-02-01 User data 2023-11-03 


Before first unlock 
Samsung Galaxy A13 5G SM-A136U. MT6833V/NZA . 2023-06-01 BFU) 2023-11-02 
( 


Samsung Galaxy A71 5G SM-A716U. LITO 2022-01-01 Brute-force 2023-11-01 


File system- se- 
Samsung Galaxy S9+ SM-G965U SDM845, g 2019-11-01 2023-11-03 
cure folder 


Galaxy S21 Ultra 
Samsung & SM-G998U SM8350 2023-10-01 User data 2023-11-02 


Before first unlock 
Samsung Galaxy $22 Ultra © SM-S908U SM8450 2022-11-01 (aru) 2023-11-02 


File system- se- 
Samsung Galaxy $23 SM-S911U ‘M8550 . 2023-10-01 2023-11-04 
cure folder 


Tel TCLA3 AS09DL MT6765 2021-09-01 Brute-force 2023-10-31 


Xiaomi N/A Redmi note 8 pro MT6785 2021-10-01 User data 2023-11-04 
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Inseyets Offline UFED also has a support matrix for both iOS and Android. The iOS and Android Support 
Matrix is available for download from the MyCellebrite Community Portal. They can be found in the 
product download section under Technical Data Sheet. 


Y Technical Data Sheet 


4 Download 
Cellebrite Premium 7.66 Android Support Matrix 


4 Download 
Cellebrite Premium 7.66 iOS Support Matrix 


8.2. Getting Support 


There are several ways to obtain the assistance of the Technical Customer Support Team. 


8.2.1. From the Application 


8.2.1.1. Using the floating Support Ticket Button 


To ensure that contacting customer support is a streamlined and seamless experience, a floating 
Support Ticket button is provided, with the following features: 


” The button is always available from all main and pop-up screens. 


” Logs, which are often required for support, can be exported from all main and pop-up 
screens. 


The Support Ticket button is available from any screen, as shown in the following sample screen, where 
it appears in the upper-right corner. 


. 3 ® Commander @ EVS | Resources 
UFED 


Select an action 


Device status 


Samsung Galaxy Galaxy S22 Snapdragon 8 Android 9 


20222-05-12 Full disk encryption Hot JS 


Extraction path: 


Progress console Access 


completed 
successfully 


Finish Physical App Selective Full File System 
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The Support Ticket button is also available from any dialog, as shown in the following sample screen, 
where it appears in the lower-left corner. 


Streamline Settings €D 


Case Details 
Case ID © Device owner © 


Robbery Suspect 


Created by © 


Danny Shovevani 


Extraction Settings 


Device status Extraction Path © 


E:\input\Extraction 
Extraction: | 


Report in Inseyets PA 


UFDOR 


You have the option to attach the logs and screen shots to the support ticket, as described in the next 
section. 


You can create a support ticket from within the application by clicking the tools button in the top right 
corner and then selecting Help > Report an issue > Open new ticket. 


© Resources 


Settings 
Open new ticket Report an issue Help 


Ticket file transfer Export logs 


Supported device matrix 


Android 


You have the option to attach the logs and screen shots to the support ticket. 
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Support Ticket 


Subject 


Full name Device model 


Brief description of issue 


& Attach File Share screenshot 


Discard 


8.2.2. Through the MyCellebrite Portal 


You can create a support case by logging into the MyCellebrite portal, or chat live with a Technical 
Customer Support agent. 


8.3. Exporting Logs 


If Technical Customer Support requires application logs, you can export the application logs from the 
following locations: 


” The Settings menu. Settings > System > Export Application Logs 


» 


The Main menu. Click the Tools button in the top right corner > Help > Export Logs 


You have the option to export All logs, which contain all the logs for the application, or Last Session, 
which only contain the logs for the last active session. 
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8.4. Turbo Link LED Indicators 


The Turbo Link status is displayed by its LED indicator lights as shown in the table below: 


aa ca 


Green Receiving commands. 
fea | ating for cheetah service connection. 


Connection established, waiting for cheetah service 
commands. 
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